Blinkenlights won’t save you, user, piggyback is going for broke
Mac malware could piggy-back on your legitimate webcam sessions – yep, the ones you’ve initiated – to locally record you without detection, a leading security researcher warns.
Patrick Wardle, a former NSA staffer who heads up research at infosec biz Synack, outlined the vulnerability together with counter-measures he’s developed during a keynote presentation at the Virus Bulletin conference. Peeping Tom-style malware that abuses the video capabilities of an infected computer to record an unwitting user is a threat to both Windows and Mac users. Mac malware such as Eleanor, Crisis, Mokes and others all attempt to spy on Mac OS X users via their webcam.
Luckily, modern Macs contain a hardware-based LED indicator that can alert users when the camera is in use.
And physically covering the built-in camera – a la Mark Zuckerberg – also provides a low-tech approach to locking out snoopers, with the downside that it also prevents legitimate use.
Wardle has uncovered a fresh dimension to the problem.
After examining various “webcam-aware” OS X malware samples, Wardle identified a new “capability” that would permit this type of malware to stealthily monitor the system for legitimate user-initiated video sessions before surreptitiously piggybacking on these conversations in order to covertly record the user.
Because there are no visible indications of this malicious activity (the LED light is already on), the malware can record both audio and video without fear of detection.
During his presentation, titled Getting Duped: Piggybacking on Webcam Streams for Surreptitious Recordings, Wardle outlined the threat together with techniques geared towards detecting “secondary” processes that attempt to access an existing video session on OS X.
“I have not seen any malware using this technique at this time [but] this is something that would be trivial for malware to do, and there aren’t any tools to detect this capability,” Wardle explained, adding there “may be malware already (ab)using this technique that we just haven’t detected”.
Malware along the lines Wardle discussed would be able to record both sides of a conversation once it detects the webcam being used.
Wardle has released a free Oversight tool that he says can detect and identify any process that accesses the webcam before giving users the ability to either block or allow a process.
All these notifications/alerts are logged, so a system admin (say on a corporate network) could also reactively look through the logs to see what was using the webcam. ®
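
The detection idea described above, flagging a “secondary” process that opens the camera while another process already holds a session, is shown here as an added example; it is not code from the article, from Wardle or from his tool. The log line format, process names and function names are constructed for illustration and do not reflect any real tool's output.

```python
from collections import namedtuple

# Constructed sample events; this line format is hypothetical and is NOT
# the log format of any real tool.
SAMPLE_LOG = """\
2016-10-06T14:02:11Z camera start pid=412 proc=FaceTime
2016-10-06T14:02:40Z camera start pid=977 proc=updaterd
2016-10-06T14:09:03Z camera stop pid=977 proc=updaterd
2016-10-06T14:10:15Z camera stop pid=412 proc=FaceTime
2016-10-06T15:30:00Z camera start pid=1033 proc=PhotoBooth
2016-10-06T15:31:12Z camera stop pid=1033 proc=PhotoBooth
"""

# primary = the process that already held the camera when the newcomer arrived
Finding = namedtuple("Finding", "timestamp pid proc primary")

def parse_line(line):
    """Return (timestamp, action, pid, proc), or None for a malformed line."""
    parts = line.split()
    if len(parts) != 5 or parts[1] != "camera" or parts[2] not in ("start", "stop"):
        return None
    fields = dict(p.split("=", 1) for p in parts[3:] if "=" in p)
    if not fields.get("pid", "").isdigit() or "proc" not in fields:
        return None
    return parts[0], parts[2], int(fields["pid"]), fields["proc"]

def find_secondary_access(log_text):
    """Flag processes that open the camera while another process already has it."""
    active = {}      # pid -> proc, oldest session first (dicts keep insertion order)
    findings = []
    for line in log_text.splitlines():
        event = parse_line(line)
        if event is None:
            continue
        ts, action, pid, proc = event
        if action == "stop":
            active.pop(pid, None)   # tolerate a stop with no matching start
        elif pid not in active:
            if active:              # LED is already on, so this start shows the user nothing new
                primary = next(iter(active.values()))
                findings.append(Finding(ts, pid, proc, primary))
            active[pid] = proc
    return findings

if __name__ == "__main__":
    for f in find_secondary_access(SAMPLE_LOG):
        print(f"{f.timestamp} {f.proc} (pid {f.pid}) joined a session opened by {f.primary}")
```

A process that starts the camera on its own, such as the later PhotoBooth session in the sample, is not flagged, because in that case the LED transition itself is visible to the user.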